Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Chinese Hackers Compromised Forbes.com Using IE, Flash Zero Days

A Chinese APT group has been linked to a watering hole attack on Forbes.com used to target defense and financial targets.

A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer 9, to compromise a popular news site late last year.

The group’s aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL.

Researchers with Invincea and iSIGHT Partners worked in tandem to dig up information about the group, which was able to compromise a part of Forbes.com’s website that appears to users before they’re ported over to articles they’ve clicked on. That portion of the site, Forbes.com’s Thought of the Day, is powered by a Flash widget.

According to researchers with Invincea the group was able to use a zero day vulnerability to hijack that widget for a short period, from Nov. 28 to Dec. 1. Over the course of those four days, the group targeted visitors to the site who worked at a handful of unnamed U.S. defense and financial firms.

Researchers with iSIGHT discovered that in addition to the Flash flaw, the attackers also exploited an Internet Explorer vulnerability, a zero day that helped attackers bypass Address Space Layout Randomization (ASLR) in IE 9.

In a technical writeup of the attack yesterday, Invincea explained how Forbes’ site was able to redirect to an IP address, load the Flash exploit, and drop a DLL, hrn.dll, to be loaded into the machine’s memory.

“Once in memory, the exploit gains administrative privileges and opens a command prompt,” Invincea’s executive summary reads, “Next the victim system was scanned to report on its current patch levels, network mapping, and complete IP configuration, including any VPN connections.”

Both firms agreed to set their disclosures for yesterday to coincide with Microsoft’s patching of the Internet Explorer bug.

While Chinese APT groups have been in the news lately – some reports have already pinned last week’s Anthem breach on shadowy hackers from the PRC – several firms are already familiar with the APT group behind this campaign. FireEye, first published research on the group back in 2013, referring to the collective as the Sunshop Group. Researchers there caught the group carrying out a campaign that hit a series of victims – a science and technology journal, a website for evangelical students, etc. – by exploiting an IE zero day and several Java bugs in May of that year.

Throughout its research, dating back to 2010, iSIGHT has taken to calling the group Codoso Team. This attack, like others its linked back to them, used similar malware (Derusbi) and called on a command and control (C+C) domain its been seen using in the past as well.

Regardless of what it goes by, the group has been seen targeting U.S. government entities, the military/defense sector, and financial services groups for at least five years running. FireEye found the same group was also responsible for hacking the Nobel Peace Prize Committee website in 2010. That attack also used a watering hole and made use of a browser (Firefox) zero day.

While neither iSIGHT or Invincea could give concrete numbers regarding the number of victims Codoso was able to compromise with this campaign, both were firm in their stance that the attacks were highly targeted in nature and only visitors who worked at the defense and financial firms were infected.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.